A New Quantum Private Protocol for Set Intersection Cardinality Based on a Quantum Homomorphic Encryption Scheme for Toffoli Gate

Set Intersection Cardinality (SI-CA) computes the intersection cardinality of two parties’ sets, which has many important and practical applications such as data mining and data analysis. However, in the face of big data sets, it is difficult for two parties to execute the SI-CA protocol repeatedly. In order to reduce the execution pressure, a Private Set Intersection Cardinality (PSI-CA) protocol based on a quantum homomorphic encryption scheme for the Toffoli gate is proposed. Two parties encode their private sets into two quantum sequences and encrypt their sequences by way of a quantum homomorphic encryption scheme. After receiving the encrypted results, the semi-honest third party (TP) can determine the equality of two quantum sequences with the Toffoli gate and decrypted keys. The simulation of the quantum homomorphic encryption scheme for the Toffoli gate on two quantum bits is given by the IBM Quantum Experience platform. The simulation results show that the scheme can also realize the corresponding function on two quantum sequences.


Introduction
Secure multiparty computation (SMC) [1][2][3] is a crucial cryptographic primitive which fits the following description: Assume that there is a function typically specified by a map $F : (\{0,1\}^*)^n \to (\{0,1\}^*)^n$ and a set of $n$ parties, $P = \{P_1, ..., P_n\}$, who want to compute values of this function with respect to their private data. Each party $P_i$ has its input $x_i \in \{0,1\}^*$ and output $y_i \in \{0,1\}^*$, following correspondence $y_i = F(x_i)$. Our target is to ensure that all parties in a subset $C \subset P$ receive correct outputs from others while no information related to the input can be accessed. SMC has raised widespread concerns and has wide applications in electronic voting, cloud computing, online auction, etc.
A typical SMC [4] application is Private Set Intersection (PSI), which is also known as Private Matching (PM). Specifically, PSI involves two parties, $P_1$ and $P_2$, who hold private sets $x_1$ and $x_2$, respectively. They seek to find the intersection $x_1 \cap x_2$ without disclosing any information that does not belong to this intersection. There have been many applications of PSI, such as privacy-preserving data mining [5], data outsourcing on cloud [6], location-based privacy-preserving sharing [7], testing of fully-sequenced human genomes [8], proximity testing [9], and other online services [10].
Due to the extensive and important applications, there have been many suggestions for PSI protocols. In 2004, Freedman et al. [4] first gave the definition of PSI and presented several PSI protocols by using homomorphic encryption and balanced hashing. Homomorphic encryption was first proposed by Rivest et al. in 1978 [11]. A new symmetric homomorphic functional encryption using modular multiplications over a hidden ring was proposed [12]. Then, some PSI protocols were proposed based on classical cryptography [13][14][15][16]. However, PSI reveals too much private information and it cannot meet the higher privacy requirements in some scenarios. In this case, Private Set Intersection Cardinality (PSI-CA) [17] was introduced, which can securely determine the size of set intersection and can be used to generate association rules. In [18], a PSI-CA protocol was the first to achieve security in the standard model under the Quadratic Residuosity (QR) assumption with linear complexities, which can hide the size of the client's private set. In [19], a PSI-CA protocol was proposed, which had linear computation and communication complexities and was the most efficient PSI-CA protocol among previously proposed PSI-CA protocols [18,19]. PSI-CA only outputs the intersection cardinality and does not reveal the specific content of the intersection. The security of classical PSI-CA protocols is based on computational complexity assumptions, which are vulnerable to attack by quantum algorithms [20][21][22].
On the other hand, scholars began to seek a quantum approach to solving the PSI-CA problem. In [23], Shi et al. presented two quantum protocols to solve the Oblivious Setmember Decision problem. These protocols can be used to privately compute multi-party set intersection and union in the quantum domain. In [24], Shi et al. informally gave a definition of PSI first. Then they presented a quantum scheme for PSI based on n encoded states, n quantum operators, and n von Neumann measurements. In [25], Arpita gave a two-party protocol for computing set intersection securely in the quantum domain in a rational setting, where the players are trying to maximize their utilities. However, PSI reveals too much private personal information in some scenarios. In order to prevent revealing the specific content, Shi et al. proposed some quantum protocols of PSI-CA [26][27][28]. PSI-CA and PSU-CA enable two parties, each with a private set, to jointly compute the cardinality of their intersection or union without disclosing any private information about their respective sets. These protocols are useful in social networks and for privacy-preserving data mining.
In this paper, following the idea in [26], we propose a PSI-CA protocol based on a quantum homomorphic encryption scheme for the Toffoli gate. With the help of a semi-honest TP, two parties can use this protocol to privately obtain the number of all their private sets' common elements. When the amount of data is large, two parties, which do not have strong quantum computing capabilities, only prepare and encrypt quantum single-particle states. The role of semi-honest TP is to execute the protocol loyally and record all the results of its intermediate computations. However, the TP cannot learn anything about the private information. In our protocol, the semi-honest third party (TP) can be used to perform Toffoli gate and decryption operations. It will keep a record of all its intermediate results and might try to infer the private inputs from the record. Our protocol is simpler and easier to implement. This paper is organized as follows: we introduce some correlative preliminaries in Section 2; we propose a quantum PSI-CA protocol in Section 3; in Section 4, we analyze the correctness and security of our protocol and describe the implementation of our protocols on the IBM Quantum Experience platform. A brief discussion and the concluding summary are given in Section 5.

Pauli Gates
Some operators are introduced first. Four single-qubit operators I, X, Y, Z are shown as follows: The circuit symbols for the four single-qubit gates I, X, Y, Z are shown in Figure 1.

Quantum Toffoli Gate
The quantum Toffoli gate (called the T gate) is seen as an important component in the theory of quantum computation. The unitary transform matrix of the T gate is as follows: The T gate has three input bits and three output bits. For a three-qubit quantum system, $|a\rangle|b\rangle|c\rangle$, the quantum T gate will act as: The circuit symbol for the T gate is shown in Figure 2.

Information-Theoretic Security
In [23], the conception of mixed states is introduced and a quantum information-theoretic security criterion for a quantum protocol is given as follows: The protocol is informationally secure for every input state $\phi_{in}$ if the output state $\phi_{out}$ is the totally mixed state. The relation of the input state $\phi_{in}$ and the output state $\phi_{out}$ is as follows: where $\phi_{in}$ is the density operator of all possible n-qubit input states and $U_k$ are the corresponding unitary operations applied on input state.

Quantum Private Computation Protocol for Set Intersection Cardinality
We use the definition of PSI-CA [19]. Suppose that there are two parties, Alice and Bob. They input a private set $S_A = \{a_1, a_2, ..., a_{n_1}\}$ and $S_B = \{b_1, b_2, ..., b_{n_2}\}$, respectively. $S$ is a complete set $\{x_1, x_2, ..., x_n\}$ and $S_A, S_B \subset S$. After running the PSI-CA protocol with the help of the semi-honest third party, Calvin, Alice and Bob output the cardinality of the intersection of their private sets, i.e., $|S_A \cap S_B|$, without leaking any information about their sets. The quantum scheme for PSI-CA is described as follows:
(1) Alice and Bob each prepare a (n + n )-photon sequence, denoted by . The first n particles of $Sq_A$, $Sq_B$ are prepared according to Alice's and Bob's private sets $S_A$, $S_B$: The last n particles of $Sq_A$, $Sq_B$ are dummy photons, which are randomly chosen from $\{|0\rangle, |1\rangle\}$.
(2) Alice and Bob work together to find the number of $\psi^A_i = \psi^B_i = |1\rangle$ (i = n + 1, ..., n + n ), denoted by N CA, which means how many bits are equal and equal to $|1\rangle$ in the last n particles of $Sq_A$, $Sq_B$.
They also permute $Sq_A$, $Sq_B$ using the same permutation rule π. The new se- 2k are randomly chosen from {0, 1}. Then, she (he) uses the Quantum One-time Pad algorithm (QOTP) [25] to encrypt the kth ). Alice (Bob) also inserts some checking particles, which are randomly chosen from $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, into S A (S B ) and sends the new sequence S A (S B ) to the third party Calvin.
After that, Alice (Bob) transmits the insert positions $Po_A$ ($Po_B$) and $L_A$ ($L_B$) to Calvin using the quantum secure direct communication (QSDC) protocol. QSDC is one of the most important branches of quantum communication and it directly transmits secret messages.
(3) After receiving S A , S B , Alice, Bob, and Calvin perform the eavesdropping check using the insert positions $Po_A$, $Po_B$ and the measuring bases of checking particles. If the error rate exceeds the threshold they preset, they abort the scheme. Otherwise, they discard the measured photons in S A , S B and Calvin gets two sequences S A = Calvin executes some operations on the ith quantum bits of S A , S B , S C and gets: Calvin measures ψ C i using the X basis and compares the measurement result with ψ C i . He also counts how many quantum bits ψ C i , ψ C i are different and the number is denoted by N CA . It is obvious that the intersection cardinality of $S_A$, $S_B$ is equal to N CA − N CA .
We have to point out that if Alice and Bob apply a NOT gate on each particle of $Sq_A$, $Sq_B$ in step (1), the private set union cardinality of $S_A$, $S_B$ is equal to $|S|$ − (N CA − N CA ) using the PSI-CA quantum protocol.
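The counting logic of steps (1)-(3) and of the union variant, as an added example that is not code from the paper: it is a classical simulation on computational-basis values only, with the QOTP encryption, the checking particles and the channel left out. The function names, the `n_dummy` and `seed` parameters and the random choice of Calvin's target bits are assumptions of this sketch.

```python
import random

def encode(private_set, universe):
    """One bit per element of the complete set S: 1 (|1>) if held, else 0 (|0>)."""
    return [1 if x in private_set else 0 for x in universe]

def toffoli(a, b, c):
    """Toffoli on basis values: the target flips only when both controls are 1."""
    return a, b, c ^ (a & b)

def page_example():
    """The three (Alice, Bob, Calvin) triples from the correctness analysis."""
    return [toffoli(*t)[2] for t in [(1, 0, 1), (0, 1, 0), (1, 1, 0)]]

def psi_ca(set_a, set_b, universe, n_dummy=8, union=False, seed=None):
    rng = random.Random(seed)
    n = len(universe)
    # Step (1): data bits followed by randomly chosen dummy bits.
    sq_a = encode(set_a, universe) + [rng.randint(0, 1) for _ in range(n_dummy)]
    sq_b = encode(set_b, universe) + [rng.randint(0, 1) for _ in range(n_dummy)]
    if union:
        # NOT on every particle: matches now count elements in neither set.
        sq_a = [1 - v for v in sq_a]
        sq_b = [1 - v for v in sq_b]
    # Step (2): the parties count dummy positions where both hold 1 ...
    dummy_matches = sum(a & b for a, b in zip(sq_a[n:], sq_b[n:]))
    # ... and apply the same secret permutation to both sequences.
    perm = list(range(n + n_dummy))
    rng.shuffle(perm)
    sq_a = [sq_a[i] for i in perm]
    sq_b = [sq_b[i] for i in perm]
    # Step (3): Calvin applies T to his own target bits (random here, an
    # assumption) and counts how many of them changed.
    sq_c = [rng.randint(0, 1) for _ in perm]
    flips = sum(toffoli(a, b, c)[2] != c for a, b, c in zip(sq_a, sq_b, sq_c))
    card = flips - dummy_matches
    return {"calvin_sees": flips, "result": n - card if union else card}
```

Calvin's own count (`calvin_sees`) still includes the dummy matches; only Alice and Bob know how many to subtract.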

Correctness Analysis
In this section, we illustrate the correctness of our protocol. Figure 3 describes the circuit U used to privately apply the T gate on ψ = 1, 2, ..., n + n , Alice, Bob and Calvin can use the circuit U to privately According to the circuit U, it can be verified that According to Equations (7)-(22), we can obtain Calvin Then they can get $T(|1\rangle|0\rangle|1\rangle)$, $T(|0\rangle|1\rangle|0\rangle)$, $T(|1\rangle|1\rangle|0\rangle)$ and the new photon sequence of Calvin is $|1 \oplus (1 \cdot 0)\rangle\,|0 \oplus (0 \cdot 1)\rangle\,|0 \oplus (1 \cdot 1)\rangle$. Only the third photon in Calvin's new sequence, $|0 \oplus (1 \cdot 1)\rangle = |1\rangle$, is different from the third photon of his original sequence, $|0\rangle$. So we can get that Alice and Bob have only one common element in $S_A$, $S_B$.

Implementation of Quantum PSI-CA Protocols on IBM Quantum Experience Platform
Now, we move forward through a similar approach to experimentally realize our PSI-CA protocol on the IBM Quantum Experience platform. Let us say the two parties, Alice and Bob, have a private set $S_A$ and $S_B$, respectively, where $S$ is a complete set and $S_A, S_B \subset S$. For the encoding procedure, $S_A$ and $S_B$ are encoded into two (n + n )-particle sequences. Alice, Bob, and Calvin can privately apply the T gate on their corresponding position particles using the IBM Quantum Experience platform. The measuring results of Calvin's particle are related to the PSI-CA of $S_A$, $S_B$.
The circuit on the IBM Quantum Experience platform for privately computing the eight cases of $T|\psi_{A0}\rangle|\psi_{B0}\rangle|\psi_{C0}\rangle$ and the experiment results with 1024 shots for the eight cases on the quantum circuit are shown in Figures 4-11. In the experiment results' figures, the x-axis represents 16 measurement results, and each of them includes the $T|\psi_{A0}\rangle|\psi_{B0}\rangle|\psi_{C0}\rangle$ and the information of $l_{A0}, l_{A1}, l_{B0}, l_{B1}$. The y-axis represents the frequency of each measurement result. The first three binary bits in the x-axis correspond to the output of $T|\psi_{A0}\rangle|\psi_{B0}\rangle|\psi_{C0}\rangle$ and the following four binary bits in the x-axis are $l_{A0}, l_{A1}, l_{B0}, l_{B1}$.
In Figure 4, $|\psi_{A0}\rangle = |1\rangle$, $|\psi_{B0}\rangle = |1\rangle$, $|\psi_{C0}\rangle = |1\rangle$. Take the measurement result "1101010" in Figure 4 as an example: the last four bits 1010 represent the measurement results of $l_{A0}, l_{A1}, l_{B0}, l_{B1}$, which are used to control the gates in the quantum circuit. The first three bits 110 represent the new measurement result of $|\psi_{A0}\rangle, |\psi_{B0}\rangle, |\psi_{C0}\rangle$ after operating the gates in the quantum circuit. From the frequency of each measurement result in Figure 4, it can be verified that no matter what $l_{A0}, l_{A1}, l_{B0}, l_{B1}$ are, the circuit will act as a T gate on $|\psi_{A0}\rangle = |1\rangle$, $|\psi_{B0}\rangle = |1\rangle$, $|\psi_{C0}\rangle = |1\rangle$. Using the same analysis method, we can reach the same conclusion from the frequency of each measurement result in Figures 5-11.

Security Analysis
In this section, we verify the security of our quantum PSI-CA scheme by analyzing an outside attack and a participant attack, respectively.

Outside Attacks
In terms of outside attacks, this protocol allows for outside eavesdroppers to attack the quantum channel and obtain Alice and Bob's particle sequences in step (2). Checking particles are introduced to defend against it. With several checking particles inserted, the security checking procedure in step (3) can detect the intercept-resend attack, the measurement-resend attack, the entanglement-measure attack, and the denial-of-service (DOS) attack with a nonzero probability.
In addition to these naive attacks, there are some special forms of attack such as the delay-photon Trojan horse attack, the invisible photon eavesdropping (IPE) Trojan horse attack, and the photon-number-splitting (PNS) attack, which are also available to outside eavesdroppers. In response to these attacks, we use several defenses. To defeat the delay-photon Trojan horse attack, we can use a photon-number splitter. To defeat the IPE attack, we can insert filters in front of their devices to filter out the photon signal with an illegitimate wavelength. To defeat the PNS attack, we can use the technology of beam splitters to split the sampling signals and judge whether these received photons are single photons or multiple photons. Therefore, the outside attacks are ineffective against our protocol.

Participant Attack
Gao et al. proposed the term "participant attack" in Ref. [29], which has attracted much attention in the cryptanalysis of quantum cryptography. It underlines that malicious user attacks are typically more potent and should be given more consideration. We analyze the possibility that Alice, Bob, and Calvin could use participant attacks to learn knowledge about the private binary strings in our protocol. Since both Alice and Bob's sequences are sent to Calvin after processing, it is most critical to consider Calvin's behavior.
In our protocol, Calvin only gets two particle sequences S A , S B . Calvin applies the T gate on each sequence in step (3).
According to the definition of information-theoretic security given in Section 2.3, we can know that the output state of step (2) in our protocol can be described as follows: These calculations indicate that all the states obtained by Calvin are just totally mixed states. So Calvin cannot learn Alice's and Bob's private binary strings from the particle sequences he obtained.
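The criterion from the Information-Theoretic Security section, applied to one qubit under the QOTP keys of step (2), as an added example that is not the paper's code. It averages $X^a Z^b \rho (X^a Z^b)^\dagger$ over the key space and, for contrast, over an X-only key space; the four test states and all function names are assumptions of this sketch.

```python
import itertools
import math

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def dagger(m):
    return [[complex(m[j][i]).conjugate() for j in range(2)] for i in range(2)]

def density(alpha, beta):
    """Density matrix |psi><psi| for psi = alpha|0> + beta|1> (normalised here)."""
    norm = math.sqrt(abs(alpha) ** 2 + abs(beta) ** 2)
    v = [alpha / norm, beta / norm]
    return [[v[i] * complex(v[j]).conjugate() for j in range(2)] for i in range(2)]

def pad(a, b):
    """QOTP key bits (a, b) -> unitary X^a Z^b."""
    u = I2
    if b:
        u = matmul(Z, u)
    if a:
        u = matmul(X, u)
    return u

def averaged_ciphertext(rho, keys):
    """State seen without the key: mean of U rho U^dagger over all keys."""
    out = [[0j, 0j], [0j, 0j]]
    for a, b in keys:
        u = pad(a, b)
        enc = matmul(matmul(u, rho), dagger(u))
        for i in range(2):
            for j in range(2):
                out[i][j] += enc[i][j] / len(keys)
    return out

def distance_from_mixed(rho):
    """Largest entry-wise deviation from the totally mixed state I/2."""
    return max(abs(rho[i][j] - (0.5 if i == j else 0)) for i in range(2) for j in range(2))

FULL_KEYS = list(itertools.product((0, 1), repeat=2))  # a, b uniform in {0, 1}
X_ONLY_KEYS = [(0, 0), (1, 0)]                         # weakened pad: Z key dropped
STATES = {"0": (1, 0), "1": (0, 1), "+": (1, 1), "-": (1, -1)}  # constructed inputs

def leakage(keys):
    """Deviation from I/2 per input state; 0.0 means the criterion is met."""
    return {name: round(distance_from_mixed(averaged_ciphertext(density(*ab), keys)), 6)
            for name, ab in STATES.items()}
```

With both key bits every input averages to I/2; with the Z key dropped, |+> and |-> pass through unchanged, so the criterion fails for those inputs.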

Comparison
The related quantum PSI-CA protocols in [27,28] required entangled states, other complicated oracle operators, and measurements in high-dimensional Hilbert space; hence our protocol is more feasible with current technologies than those proposed with entangled states. Compared with some recently proposed protocols [27,28], our proposed quantum PSI-CA protocol has the following advantages. First, it only needs to take single photons as quantum resources and to apply single operators and measurements. Obviously, it is more feasible to prepare these resources and implement these operators and measurements. Second, our new protocol is more robust and can easily use fault-tolerant technologies due to single photons. Therefore, our new quantum protocol for PSI-CA is more practical and feasible compared with the existing protocols.

Discussion and Conclusions
In summary, we give a novel quantum solution for PSI-CA. By performing the quantum operators X, Z, and T, Calvin can help Alice and Bob obtain the PSI-CA results of their private sets. Moreover, we provide a theoretical correctness study and use the Qiskit package to verify the scheme on the IBM Quantum Experience platform by way of a simulation experiment. In the end, we provide a security analysis of our protocol, which demonstrates that our protocol can resist various outside attacks, such as the disturbance attack, the Trojan horse attack, the intercept-resend attack, the entanglement-and-measure attack, and the man-in-the-middle attack. Additionally, it can also overcome the problem of information leakage with acceptable efficiency. Furthermore, we hope to extend our protocol to a generic case such as an n-qubit Toffoli gate, and we also hope that our methods can provide some new ideas for solving more secure multi-party computations in the future.

Data Availability Statement:
The data presented in this study are available on request from the author.